AnsweredAssumed Answered

CyberArk Password Vault - Secured Integration

Question asked by Alex Grant on Dec 5, 2019
Latest reply on Dec 6, 2019 by Kristian Nordman

Like • Show 1 Like1
Comment • 1

Hi folks,

I'm trying to integrate IGL 7.1.1 P03 with our CyberArk vault through AIM. I have general connectivity, but I can't seem to nail down the secured connection.

WSDL URL: <AIM-WSDL-URL>

Authentication: One-Way SSL

I've made sure that the root CA cert in my organisation has been added to the /var/lib/ca-certificates/java-cacerts keystore (which is symlinked to $JAVA_HOME/jre/lib/security/cacerts). Its entry type is trustedCertEntry. However, the password vault has difficultly establishing the PKIX path. There are no intermediate certificates, just the root CA and the server certificate.

com.aveksa.server.passwordvault.VaultConnectionException: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
......

curl -k <AIM-WSDL-URL> works successfully from the server CLI.

No one else has this question

Outcomes

1 Reply

Kristian Nordman Dec 6, 2019 7:31 AM

Hi!

Certificates are great when they work, but can be fickle to set up. This will be a lenghty post, but should be useful for similar issues with certificates as it is a recurring problem.

One of the tools I use for debugging them is SSLPoke with a wrapper. I'm not sure where I first found it, but it may have been at Test of java SSL / keystore / cert setup. Check the comment #1 for howto. · GitHub .

I'll post the code in full here. Along with a wrapper and a short how-to.

SSLPoke.java

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
            System.exit(1);
        }
        try {
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();

            // Write a test byte to get a reaction :)
            out.write(1);

            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}

wrapper.sh

#!/bin/bash
/etc/alternatives/java_sdk_openjdk/bin/java \
   -cp . \
   -Djavax.net.ssl.keyStore=/home/knn/mutual-tls-ssl/client/src/test/resources/identity.jks \
   -Djavax.net.ssl.keyStorePassword=secret \
   -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el6_10.x86_64/jre/lib/security/cacerts \
   -Djavax.net.ssl.trustStorePassword=changeit \
   SSLPoke $1 $2

If needed, you can add -Djavax.net.debug=ssl:handshake to the arguments and see a lot more debugging info regarding the certificates. Change /etc/alternatives/java_sdk_openjdk/bin/java to reflect your environment based on the binary used by wildfly.

How to run

./wrapper.sh <host> <port>

$ javac SSLPoke.java
$ ./wrapper.sh www.google.com 443
Successfully connected

From there you can swiftly test your certificate chain to see if your changes are effective or not rather than restart IG&L for each attempt.

With the tools in place, troubleshooting can start.

Grep your processes for wildfly to figure out which jdk/jre is used by IG&lL

[oracle@ip-172-31-20-2 ssl]$ ps aux | grep wild
oracle    6569  0.0  0.0 106116   364 ?        S    Nov27   0:00 /bin/sh /home/oracle/wildfly/bin/standalone.sh --server-config=aveksa-standalone-full.xml
oracle    6677  1.7 27.2 7918292 4479640 ?     Sl   Nov27 220:34 /etc/alternatives/java_sdk_openjdk/bin/java -D[Standalone] -Xms3259m -Xmx3259m -XX:MaxMetaspaceSize=575m -XX:InitiatingHeapOccupancyPercent=10 -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -Djava.awt.headless=true -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/home/oracle -Dclient.encoding.override=UTF-8 -Dfile.encoding=UTF-8 -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false -Dwp-client-hostname=172.31.20.2 -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n -Dorg.jboss.boot.log.file=/home/oracle/wildfly/standalone/log/server.log -Dlogging.configuration=file:/home/oracle/wildfly/standalone/configuration/logging.properties -jar /home/oracle/wildfly/jboss-modules.jar -mp /home/oracle/wildfly/modules org.jboss.as.standalone -Djboss.home.dir=/home/oracle/wildfly -Djboss.server.base.dir=/home/oracle/wildfly/standalone --server-config=aveksa-standalone-full.xml
oracle   20674  0.0  0.0 103328   868 pts/1    S+   13:24   0:00 grep wild

In my case it is /etc/alternatives/java_sdk_openjdk/bin/java

From the regular structure of the java installation we know that the cacerts used by default is located at /etc/alternatives/java_sdk_openjdk/jre/lib/security/cacerts, which is a symlink to ../../../../../../../etc/pki/java/cacerts.

[oracle@ip-172-31-20-2 ssl]$ ls /etc/alternatives/java_sdk_openjdk/jre/lib/security/cacerts  -lha
lrwxrwxrwx. 1 root root 41 May 13  2019 /etc/alternatives/java_sdk_openjdk/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts

This is where you must add your organizations Root CA. You may also need to add your intermediate CA.

Now if you try the SSLPoke against your CyberArk you should see a successful connection.

2 people found this helpful

Actions

CyberArk Password Vault - Secured Integration

Outcomes

Related Content

Recommended Content